kuyaya (Posted January 19, 2020)
I wrote a password grabber payload using LaZagne. I made a GitHub repository, you can look it up here. I tried to make it as simple as possible. If there are any questions or advice for improvement, just post them here and I'll reply. Have fun with it!
Cap_Sig (Posted January 29, 2020)
Nice payload! One issue is I'm pretty sure this will only work on a machine running Windows Defender. Adding the exception for the drive letter will not work if the system has Windows Defender disabled due to having something like AVG installed as the AV program. I plan to mess around with the payload some and post back.
kuyaya (Author, Posted January 31, 2020)
On 1/29/2020 at 3:04 PM, Cap_Sig said:
Nice payload! One issue is I'm pretty sure this will only work on a machine running Windows Defender. Adding the exception for the drive letter will not work if the system has Windows Defender disabled due to having something like AVG installed as the AV program. I plan to mess around with the payload some and post back.
Thank you 😄 Hmmmm.... Do you know a way to turn off / make an exclusion on all AVs? I don't like scripts that just delete the whole AV, because that leaves many traces.
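Cap_Sig's point cuts both ways: the drive-letter exclusion the payload adds only works where Microsoft Defender is the active engine, and on such a machine that exclusion is exactly the artifact an administrator or responder can look for afterwards. The script below is an added example for that defender-side check; it is not part of the thread or of the LaZassword payload. It relies on the Defender PowerShell cmdlets (Get-MpPreference, Remove-MpPreference, Get-WinEvent), and it assumes that a whole-drive exclusion such as "E:\" is always worth flagging, which is the reviewer's assumption rather than a Microsoft recommendation.

```powershell
# Added example (not from the thread): audit Microsoft Defender exclusions and
# flag entries that exempt an entire drive root, the footprint a removable-media
# payload leaves when it excludes its own drive letter. Only meaningful where
# Defender is the active AV; on an AVG/Avast machine Get-MpPreference reports
# nothing useful, which is the limitation Cap_Sig describes.
function Get-BroadDefenderExclusion {
    [CmdletBinding()]
    param()

    $prefs = Get-MpPreference
    $findings = @()

    foreach ($path in @($prefs.ExclusionPath)) {
        if ([string]::IsNullOrWhiteSpace($path)) { continue }
        # A bare drive root ("E:\" or "E:") excludes everything on that volume,
        # including whatever a removable device brings with it.
        if ($path -match '^[A-Za-z]:\\?$') {
            $findings += [pscustomobject]@{
                Kind   = 'Path'
                Value  = $path
                Reason = 'Whole drive excluded from scanning'
            }
        }
    }

    foreach ($proc in @($prefs.ExclusionProcess)) {
        if ([string]::IsNullOrWhiteSpace($proc)) { continue }
        # Process exclusions are rarer and broader: files the process opens
        # are skipped, so every entry is listed for review.
        $findings += [pscustomobject]@{
            Kind   = 'Process'
            Value  = $proc
            Reason = 'Process exclusion: files opened by this process are not scanned'
        }
    }

    $findings
}

# Defender records configuration changes (exclusions added or removed) as
# event 5007 in its Operational log; pull the most recent ones to see when a
# flagged exclusion appeared.
function Get-DefenderConfigChange {
    param([int]$MaxEvents = 20)

    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 5007
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Remove a whole-drive path exclusion found above. Needs an elevated prompt.
function Remove-BroadDefenderExclusion {
    param([Parameter(Mandatory)][string]$Path)
    Remove-MpPreference -ExclusionPath $Path
}

# Usage: list suspicious exclusions, then the recent config-change events.
Get-BroadDefenderExclusion | Format-Table -AutoSize
Get-DefenderConfigChange | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session; Get-MpPreference itself works unelevated, but Remove-MpPreference does not. Feeding the 5007 events into a SIEM query is the scalable version of the same check, since an exclusion that appears seconds after a new USB volume mounts is a strong signal regardless of what the exclusion names.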
narko (Posted February 11, 2020)
So I tried yours and Password Grabber; for some reason both are creating a folder "LaZassword" in the loot folder but nothing is there, empty.. Any chance I missed anything? (Yeah I'm a newbie)
kuyaya (Author, Posted February 11, 2020)
On 2/11/2020 at 1:53 AM, narko said:
So I tried yours and Password Grabber; for some reason both are creating a folder "LaZassword" in the loot folder but nothing is there, empty.. Any chance I missed anything? (Yeah I'm a newbie)
Yep, got a mistake in the payload, I'm sorry. Fixed it. Go to my GitHub and try it again please. But the password grabber payload shouldn't be creating a LaZassword folder. It is normal for the password grabber payload not to work haha. I think you got the payload.txt mixed up. Please inform me if you tried it again and tell me if it has worked or not.
narko (Posted February 15, 2020)
It seems like everything is running, not in the background though. After looking inside the loot folder I saw a new empty folder 'Lazassword'.
kuyaya (Author, Posted February 17, 2020)
On 2/15/2020 at 9:48 PM, narko said:
It seems like everything is running, not in the background though. After looking inside the loot folder I saw a new empty folder 'Lazassword'.
Is your issue solved? Or does it still persist?
kuyaya (Author, Posted February 21, 2020)
Great, update is out! Now you can rely on the LED FINISH. I did this with a very easy while loop. You can look it up in the payload.txt. But that didn't work and I asked myself why. Then I did research and I found this post. This guy had the same idea as I did. The reason it didn't work is that if you create a file on the bunny while in SSH, you can't see it in Explorer. Example:
Quote
root@bunny:~# mount -o sync /dev/nandf /root/udisk
root@bunny:~# cd /root/udisk/loot
root@bunny:~/udisk/loot# ls
root@bunny:~/udisk/loot# nano testfile
root@bunny:~/udisk/loot# ls
testfile
Got it? Now, there should be a testfile in Explorer, but there isn't. Try it yourself if you don't believe me. It also doesn't work the other way around. If you create a file in the loot folder by hand or with PowerShell (both do the same), it does show up on the bunny but the bunny can't recognize it. Example:
Quote
root@bunny:~# ls -l /root/udisk/loot/
ls: cannot access /root/udisk/loot/icreatedthisinexplorer.txt: No such file or directory
total 0
-????????? ? ? ? ? ? icreatedthisinexplorer.txt
See that? It just doesn't work together. It doesn't work from bunny to Explorer, and also not from Explorer to bunny. The reason why this is even necessary is that the while loop checks if there is a "done" file. If that isn't the case, it stays in LED ATTACK (yellow LED). The second-to-last part of the .ps1 file is that it should create a "done" file in the /loot/LaZassword directory. But that wouldn't work, because the bunny wouldn't recognize it, as I explained above. That's why the last part of the .ps1 file is the ejection of the BB. Then the BB syncs with Explorer and recognizes the file, which breaks the loop, which then makes an LED FINISH. And you don't even have to laboriously eject the BB by hand. That's great, isn't it? When you eject the bunny, you can't access it through Explorer anymore, but it can still run commands.
You can also still connect with PuTTY, that's why this method works. After the ejection, the bunny deletes the done file (if not, the loop would only work one time because there would be a done file, even when the payload isn't finished yet) and does an LED FINISH. @PoSHMagiC0de You brought me the solution, so I wrote you into the credits on my LaZassword payload. Is that okay for you? Please message me if not.
PoSHMagiC0de (Posted February 28, 2020)
Don't know or remember what I added but ok.
kuyaya (Author, Posted February 28, 2020)
3 hours ago, PoSHMagiC0de said:
Don't know or remember what I added but ok.
You added the ejection of the bunny in this post.
kuyaya (Author, Posted March 13, 2020)
Okay, update out! Now the payload fully bypasses UAC and still runs LaZagne as admin. Credits go again to PoSHMagiC0de, for his PowerShell UAC bypass. Thank you, it's really useful. Check it out! I made a pull request, so if it's good enough it will be published to the official repository. I would love to see it there!
kuyaya (Author, Posted March 15, 2020)
Another update, LaZassword got accepted and is now on the official Hak5 repository. Yes!
kuyaya (Author, Posted April 22, 2020)
Hey guys, I'm here with another update. There was a bug that caused the bunny not to eject itself. The bug was caused because the script that does the ejection runs on the bunny. While the script tells Windows to eject the bunny, the script is still in use (on the bunny). Windows doesn't support ejecting devices that are in use. That means that I had to change the script so that the ejection commands are executed from the computer and not from the bunny. I'll upload the update probably tomorrow on my GitHub. I will make more improvements and adjustments until I make another pull request for the official Hak5 GitHub, so if you want to be sure that you have the latest version of LaZassword, go to my GitHub and not to the Hak5 GitHub. Greetings, kuyaya
Update is now online ^^
kuyaya (Author, Posted April 24, 2020)
I just found something interesting: Avast does not detect LaZagne when you download it or even use it. At least not the free version of Avast. It only detects it when you do a specific scan on the folder or directly on LaZagne. I'm working on bypassing all the different AVs (at least the most popular).... don't expect the update too soon but I'm working on it.
timchrist49 (Posted April 29, 2020)
Hi, I ran into the same problem. I used the payload and there is no folder showing in the loot folder; why is that? Sorry, I'm a newbie 🙂
kuyaya (Author, Posted April 29, 2020)
Are you sure that you set up everything correctly? Remember these 3 points:
1. lazagne.exe has to be in a zip file
2. change the DUCKY_LANG=** to your language
3. change the word "administrators" in line 42 in bypass.ps1 to administrators in your language
If you did all this and it still doesn't work, we can go on to the next step of troubleshooting.
benhsp (Posted May 12, 2020)
On 4/29/2020 at 6:43 PM, kuyaya said:
Are you sure that you set up everything correctly? Remember these 3 points:
1. lazagne.exe has to be in a zip file
2. change the DUCKY_LANG=** to your language
3. change the word "administrators" in line 42 in bypass.ps1 to administrators in your language
If you did all this and it still doesn't work, we can go on to the next step of troubleshooting.
Sorry for disturbing you, I have some questions now.
1. My computer language is Chinese Traditional. And its keyboard layout is QWERTY. So can I just use the us.json file?
2. My default input is Chinese. This means that after the USB is injected into Win + R, you must press Shift to switch the input method to English before you can enter the command. Then where do I add this line of command?
3. About your third point "change the word "administrators" in line 42 in bypass.ps1 to administrators in your language": in my condition, do I need to input administrators in Chinese or just in English?
Thanks again for your reply! My English is not very good, please forgive me for the bad expression.
kuyaya (Author, Posted May 12, 2020)
3 hours ago, benhsp said:
Sorry for disturbing you, I have some questions now.
1. My computer language is Chinese Traditional. And its keyboard layout is QWERTY. So can I just use the us.json file?
2. My default input is Chinese. This means that after the USB is injected into Win + R, you must press Shift to switch the input method to English before you can enter the command. Then where do I add this line of command?
3. About your third point "change the word "administrators" in line 42 in bypass.ps1 to administrators in your language": in my condition, do I need to input administrators in Chinese or just in English?
Thanks again for your reply! My English is not very good, please forgive me for the bad expression.
Hey there
1. If the keyboard layout is the default USA one, you should be fine with the us.json file. You don't even have to do "DUCKY_LANG=us", you can just delete the line because the default language is us.
2. On line 23 in the payload.txt: delete the whole line and replace it with:
Q GUI r
Q SHIFT ENTER # If it is shift-enter, you can leave it like that, if it is enter-shift, you have to switch shift with enter.
Q STRING "powerShell -windowstyle hidden -ExecutionPolicy Bypass .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\bypass.ps1')"
Q ENTER
3. Your computer language is Chinese, that means it should also be in Chinese. Try replacing it with something like "管理員" (got this from Google Translate). If you are not sure whether it is in English or Chinese, go to PowerShell and execute "Get-LocalGroup". Here you should see the different groups. If they are in English, "administrators" should work; if they are in Chinese, "administrators" won't work. To be 100% sure, you can execute {Get-LocalGroupMember "administrators"} (without the {}). If it returns an error, it is not in English. If it executes successfully, it is in English.
benhsp (Posted May 12, 2020)
6 hours ago, kuyaya said:
Hey there
1. If the keyboard layout is the default USA one, you should be fine with the us.json file. You don't even have to do "DUCKY_LANG=us", you can just delete the line because the default language is us.
2. On line 23 in the payload.txt: delete the whole line and replace it with:
Q GUI r
Q SHIFT ENTER # If it is shift-enter, you can leave it like that, if it is enter-shift, you have to switch shift with enter.
Q STRING "powerShell -windowstyle hidden -ExecutionPolicy Bypass .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\bypass.ps1')"
Q ENTER
3. Your computer language is Chinese, that means it should also be in Chinese. Try replacing it with something like "管理員" (got this from Google Translate). If you are not sure whether it is in English or Chinese, go to PowerShell and execute "Get-LocalGroup". Here you should see the different groups. If they are in English, "administrators" should work; if they are in Chinese, "administrators" won't work. To be 100% sure, you can execute {Get-LocalGroupMember "administrators"} (without the {}). If it returns an error, it is not in English. If it executes successfully, it is in English.
Thanks!!! It works!! You are amazing!!!
kuyaya (Author, Posted May 12, 2020)
I'm honored and always glad to hear that it works, thank you 🙂 If you have another question, feel free to post it here :).
benhsp (Posted May 14, 2020)
I got a problem. When I put the USB into another computer, it is stuck here. How can I solve it? Thanks~
kuyaya (Author, Posted May 16, 2020)
Hm, hard to tell, since I don't know when exactly this pops up. I need to know at which point of the payload this pops up. What parts of the payload did successfully execute?
Aaron Outhier (Posted July 3, 2021)
English Translation:
Quote
Make the user account control system. Do you want to allow this App to change your installation? LOGIN EDITING PROCESS Verified by: Microsoft Windows Show more detailed information. materials are available.
In other words: It's the UAC prompt.
This topic is now archived and is closed to further replies.